[OAUTH-WG] Critical vulnerability in JSON Web Encryption (#JWE) - RFC 7516 Invalid Curve Attack

Antonio Sanso <asanso@adobe.com> Mon, 13 March 2017 19:59 UTC

From: Antonio Sanso <asanso@adobe.com>
To: "<oauth@ietf.org>" <oauth@ietf.org>
Date: Mon, 13 Mar 2017 19:59:30 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Uj49yvjxf4w4o8pi1tuPRKlJNgw>

hi *,

sorry for cross posting with the jose mailing list

http://blog.intothesymmetry.com/2017/03/critical-vulnerability-in-json-web.html

regards

antonio